Description

Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP Function Injection. An unauthenticated remote attacker is able to execute arbitrary PHP commands by sending specially crafted requests to the /webcti/session_ajax.php endpoint. This issue was fixed in version 1.24.0190 (Slican NCP) and 6.61.0010 (Slican IPL/IPM/IPU).

PUBLISHED Reserved 2025-12-12 | Published 2026-02-24 | Updated 2026-02-24 | Assigner CERT-PL




CRITICAL: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status
unaffected

Any version before 1.24.0190
affected

Default status
unaffected

Any version before 6.61.0010
affected

Default status
unaffected

Any version before 6.61.0010
affected

Default status
unaffected

Any version before 6.61.0010
affected

Credits

Dariusz Gońda finder

References

cert.pl/posts/2026/02/CVE-2025-14577 third-party-advisory

www.slican.pl/oferta/centrale-telefoniczne/ product

cve.org (CVE-2025-14577)

nvd.nist.gov (CVE-2025-14577)
